File name:

Project Devotion.rar

Full analysis: https://app.any.run/tasks/3b4f7796-65a6-432d-b541-eea133f7273b
Verdict: Malicious activity
Analysis date: April 07, 2021, 12:23:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

EB7F4BC04853A30F1F9FBBBEF694A2D5

SHA1:

38B6DB0286F8C93FDBA9266C40C13CC4A4115BC6

SHA256:

431BEF6A710EE247D29F8255DCC32ACF2D349D5E596F502B5A31EF768E89CA0E

SSDEEP:

6144:XCE5kv2/BGP3enpAgXfqcR9sqcb2tzQvoMx1bfeLX:X3ui0P3UpBXZMqcSuoW1b4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Task Manager has been disabled (taskmgr)

      • Mapper.exe (PID: 3680)
      • Ransomware2.0.exe (PID: 3288)

    • Changes the login/logoff helper path in the registry

      • Mapper.exe (PID: 3680)
      • Ransomware2.0.exe (PID: 3288)

    • Changes settings of System certificates

      • Smap.exe (PID: 3856)

    • Application was dropped or rewritten from another process

      • Ransomware2.0.exe (PID: 3288)

  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 2904)

    • Changes the desktop background image

      • Mapper.exe (PID: 3680)
      • Ransomware2.0.exe (PID: 3288)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2904)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2904)

    • Creates a directory in Program Files

      • Smap.exe (PID: 3856)

    • Creates files in the program directory

      • Smap.exe (PID: 3856)

    • Adds / modifies Windows certificates

      • Smap.exe (PID: 3856)

    • Executable content was dropped or overwritten

      • Smap.exe (PID: 3856)

    • Drops a file that was compiled in debug mode

      • Smap.exe (PID: 3856)

    • Drops a file with too old compile date

      • Smap.exe (PID: 3856)

  • INFO

    • Manual execution by user

      • cmd.exe (PID: 2904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
13
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs cmd.exe no specs chcp.com no specs cmd.exe no specs hydra.exe no specs avoid.exe no specs mapper.exe no specs mapper.exe no specs mapper.exe smap.exe no specs smap.exe no specs smap.exe ransomware2.0.exe

Process information

PID
CMD
Path
Indicators
Parent process
1440Hydra.exe C:\Users\admin\Desktop\Project Devotion\Hydra.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Hydra
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\project devotion\hydra.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1536Smap.exe C:\Users\admin\Desktop\Project Devotion\Smap.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
launcher2.0
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\project devotion\smap.exe
c:\systemroot\system32\ntdll.dll
1708chcp 65001C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2356C:\Windows\system32\cmd.exe /K Driver.batC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2668"C:\Users\admin\Desktop\Project Devotion\Smap.exe" C:\Users\admin\Desktop\Project Devotion\Smap.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
launcher2.0
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\project devotion\smap.exe
c:\systemroot\system32\ntdll.dll
2896"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Project Devotion.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2904cmd /c ""C:\Users\admin\Desktop\Project Devotion\Project Devotion.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3288"C:\Program Files\System32\Ransomware2.0.exe" C:\Program Files\System32\Ransomware2.0.exe
Smap.exe
User:
admin
Integrity Level:
HIGH
Description:
Rasomware2.0
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\system32\ransomware2.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3668"C:\Users\admin\Desktop\Project Devotion\Mapper.exe" C:\Users\admin\Desktop\Project Devotion\Mapper.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Rasomware2.0
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\project devotion\mapper.exe
c:\systemroot\system32\ntdll.dll
3680"C:\Users\admin\Desktop\Project Devotion\Mapper.exe" C:\Users\admin\Desktop\Project Devotion\Mapper.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Description:
Rasomware2.0
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\project devotion\mapper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
628
Read events
568
Write events
60
Delete events
0

Modification events

(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2896) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Project Devotion.rar
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
1
Suspicious files
24
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2896.5166\Project Devotion\Avoid.exe
MD5:
SHA256:
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2896.5166\Project Devotion\Driver.bat
MD5:
SHA256:
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2896.5166\Project Devotion\Hydra.exe
MD5:
SHA256:
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2896.5166\Project Devotion\Mapper.exe
MD5:
SHA256:
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2896.5166\Project Devotion\Project Devotion.bat
MD5:
SHA256:
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2896.5166\Project Devotion\Smap.exe
MD5:
SHA256:
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2896.5166\Project Devotion\Zero.exe
MD5:
SHA256:
3680Mapper.exeC:\Users\admin\Desktop\._cache_DCQPKX.exebinary
MD5:
SHA256:
3680Mapper.exeC:\Users\admin\Desktop\fieldsdone.rtfbinary
MD5:
SHA256:
3680Mapper.exeC:\Users\admin\Desktop\gmttotal.pngbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3856
Smap.exe
185.199.111.133:443
raw.githubusercontent.com
GitHub, Inc.
NL
suspicious
3856
Smap.exe
140.82.121.4:443
github.com
US
malicious

DNS requests

Domain
IP
Reputation
github.com
  • 140.82.121.4
malicious
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Project Devotion.rar